SEC Releases Next Series of Proposed Rules Related to Sarbanes-Oxley

On October 22, 2002, the SEC proposed rules to satisfy the requirements of Sections 404, 406 and 407 of the Sarbanes-Oxley Act of 2002. The proposed rules would:

• Require companies to disclose the number and names of persons serving on the audit committee who are "financial experts";
• Require companies to disclose whether the company has adopted a written code of ethics that applies to the company’s senior financial officers and any changes to or waivers of the code; and
• Require companies to present an internal control report in their annual reports, including a statement of management’s responsibility for the company’s internal controls and procedures for financial reporting, conclusions about the effectiveness of the company’s internal controls based on management’s evaluation and a statement that the company’s auditors have attested to, and reported on, management’s evaluation.

The public has 30 days from publication of the proposed rules in the Federal Register to submit comments to the SEC.

Audit Committee Financial Experts

Sarbanes-Oxley mandated that the SEC adopt rules requiring companies to disclose whether or not they have a financial expert on the company’s audit committee. The definition of "financial expert" for these purposes is more narrow than the financial expertise currently required for listing on the stock exchanges. The proposed rules would require companies to disclose:

• The number and names of persons that the board of directors has determined to be the financial experts serving on the company’s audit committee, and
• Whether the financial expert(s) are "independent," as that term is defined under Sarbanes-Oxley.

If the company does not have a financial expert on its audit committee, it must explain why it does not. The SEC proposed rules explain that the persons designated as financial experts will not be held to a higher degree of responsibility, but rather that the SEC believes it is necessary to make sure that the audit committee has this level of expertise available as a resource.

The board of directors of the company will be responsible for determining whether individuals serving on the audit committee meet the definition of "financial expert." In order to be a financial expert, the board must determine that an individual has, through education and experience as a public accountant or auditor or a principal financial officer, controller or principal accounting officer of a public company, all of the following abilities:

• An understanding of GAAP and financial statements,
• Experience applying GAAP in connection with the accounting for estimates, accruals and reserves that are generally comparable to the estimates, accruals and reserves, if any, used in the company’s financial statements,
• Experience preparing or auditing financial statements that present accounting issues that are generally comparable to those raised by the company’s financial statements,
• Experience with internal controls and procedures for financial reporting, and
• An understanding of audit committee functions.

In addition, the board can determine that someone is a financial expert even if he or she has not served in the specific positions listed above so long as the board determines that the person has similar expertise and experiences and the board discloses the basis for its determination. The SEC release also lists various factors that the board should consider when assessing whether someone is an financial expert.

The disclosure about the financial experts serving on the company’s audit committee will need to be included in the company’s annual report on Form 10-K.

Code of Ethics Disclosure

The SEC also proposed rules that would require a company to disclose whether it has adopted a written code of ethics that applies to its principal executive officer, principal financial offer, principal accounting officer or controller, or other persons performing similar functions. If the company has not adopted such a code of ethics, it must disclose the reasons for not doing so.

In order to satisfy this requirement, a code of ethics must be reasonably designed to deter wrongdoing and to promote:

• Honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships,
• Avoidance of conflicts of interest, including disclosure to an appropriate person identified in the code of any material transaction or relationship that reasonably could be expected to give rise to a conflict of interest,
• Full, fair, accurate, timely and understandable disclosure in reports and documents that a company files with, or submits to, the SEC and in other public communications,
• Compliance with applicable laws, rules and regulations,
• The prompt internal reporting to an appropriate person identified in the code of any violations of the code, and
• Accountability for adherence to the code.

The company would also have to file its ethics code as an exhibit to its annual report. Companies would also need to disclose any changes to, or waivers granted by the company from, any provision of the code of ethics applicable to senior financial management. The SEC proposes that any change or waiver would need to be reported on Form 8-K within two business days. Alternatively, companies could report any such changes and waivers on the company’s website if the company indicated in its last Form 10-K that it intends to report any such changes or waivers on its website and gives its website address. If a company uses the website disclosure alternative, it would need to post the information within two business days, keep the information on the website for 12 months and retain a copy of the disclosure for five years in case the SEC requests it.

A company that currently has a code of ethics will need to review the code to determine whether it satisfies the requirements listed above.

New Internal Control Report of Management

The SEC proposed rules also would require companies to include in their annual reports on From 10-K an internal control report of management that includes:

• A statement of management’s responsibilities for establishing and maintaining adequate internal controls and procedures for financial reporting,
• Conclusions about the effectiveness of the company’s internal controls and procedures for financial reporting based on management’s evaluation as of the end of the most recent fiscal year, and
• A statement that the company’s registered public accounting firm has attested to, and reported on, management’s evaluation of the company’s internal controls and procedures for financial reporting.

The term "internal controls and procedures for financial reporting" is defined as controls to ensure that the financial statements are fairly presented in compliance with GAAP as addressed by the Codification of Statements on Auditing Standards § 319 or any other guidance subsequently issued by the Public Company Accounting Oversight Board (PCAOB) that will be established pursuant to Sarbanes-Oxley.

No specific form for the disclosure is provided and the SEC indicated that the disclosure should be tailored for the company’s specific situation and avoid boilerplate language.

The SEC rules would also require the company’s accounting firm to attest to management’s report and file the attestation in the company’s annual report on Form 10-K.

As required by the internal control report and as indicated in the CEO and CFO certifications required under Section 302 of Sarbanes-Oxley, management would be required to evaluate the company’s internal controls and procedures for financial reporting. The SEC proposes that this evaluation must be performed in connection with each annual and quarterly report within the 90-day period prior to filing the Form 10-K or Form 10-Q. The form of CEO and CFO certification required by Section 302 would be revised accordingly.

The SEC proposes that the internal control report and related requirements that are proposed to satisfy the requirements of Section 404 of Sarbanes-Oxley would not be effective until after the PCAOB is established and would apply only to annual reports filed on or after December 15, 2003. However, the SEC has indicated that companies could comply voluntarily with these disclosures and requirements prior to their effective time.